pfSense & OPNsense to Graylog

Firewall logs are some of the most valuable data a Graylog instance can hold — every blocked packet, every NAT decision, every VPN handshake. Both pfSense and OPNsense are FreeBSD-based and ship built-in remote syslog forwarding, so neither needs an agent: you point them at a Graylog Syslog input and they stream their logs straight in. This guide covers both firewalls, the FreeBSD truncation pitfall that catches everyone, and how to get clean, parsed fields out the other side.

Sources: pfSense · OPNsense  ·  Transport: Syslog UDP / TCP  ·  Graylog input: Syslog
01 — Create the Graylog Input

Before either firewall can send anything, Graylog needs somewhere to listen. Create a dedicated Syslog UDP input so firewall traffic lands on its own port — this makes it easy to route and parse separately from other log sources later.

Step | Action
--- | ---
1 | Go to System / Inputs, select Syslog UDP, click Launch new input
2 | Tick Global, set Bind address to 0.0.0.0 and Port to 5140
3 | Save, then confirm the input shows as running
⚠  If your Graylog runs in Docker (as in the earlier setup guide), the example Compose file binds input ports to 127.0.0.1, which blocks remote firewalls. Publish the port on a routable interface — change the mapping to "5140:5140/udp" (drop the 127.0.0.1: prefix) and run docker compose up -d to recreate the container.
ℹ  Ports below 1024 (like the syslog default 514) need elevated privileges and clash with other services, so a high port such as 5140 or 5442 is the common choice for firewall inputs. Whatever you pick must match on both the input and the firewall.
02 — Mind the FreeBSD Truncation Limit

Both firewalls run FreeBSD, and its native syslog daemon truncates each message at roughly 480 bytes. For plain firewall (filterlog) events that's usually fine, but verbose sources — Suricata/Snort alerts, detailed NAT logs — get cut off mid-line and parse incorrectly.

If you need… | Use
--- | ---
Basic firewall + system logs, UDP | The built-in remote syslog (covered below) — simplest, no packages
Long messages, TCP, or TLS | The syslog-ng package, which replaces the truncating daemon
ℹ  The built-in daemon on both platforms can only send over UDP. If you need reliable TCP delivery or encrypted transport, that's the other reason to reach for syslog-ng (pfSense: a package; OPNsense: syslog-ng is already the core logging engine and natively offers UDP/TCP/TLS targets).
03 — pfSense: Built-in Remote Logging

pfSense exposes remote logging in the web UI — no shell access required for the basic setup. Navigate to Status → System Logs → Settings and scroll to the Remote Logging Options section.

Field | Value
--- | ---
Enable Remote Logging | Checked
Source Address | Default (Any) — or your LAN interface if Graylog is across an IPsec tunnel
IP Protocol | IPv4 (match your Graylog reachability)
Remote log servers | your-graylog-ip:5140
Remote Syslog Contents | Everything (or tick only Firewall Events to start)

Click Save. Firewall logs should appear in Graylog's Search within seconds — expect a flood of filterlog entries if firewall logging is enabled.

ℹ  You can enter up to three remote servers, each as host:port. If no port is given, pfSense assumes 514. Keep the :5140 suffix so it matches the input you created.
⚠  Syslog from pfSense is sent in clear text and can contain sensitive details (internal IPs, hostnames, usernames). Never send it across a WAN or unencrypted site-to-site link — keep it on a local interface or route it through a VPN.
04 — pfSense: syslog-ng for TCP & Long Messages

If you're forwarding Suricata/Snort or other verbose logs, install the syslog-ng package (System → Package Manager → Available Packages) to bypass the 480-byte limit and gain TCP. After install it appears under Services → Syslog-ng.

Services → Syslog-ng → General

Field | Value
--- | ---
Enable | Checked
Log destination | Add a destination: Graylog IP, port 5140, transport UDP or TCP
Log source / object | Bind the system log source to the new destination via a Log object
ℹ  When using syslog-ng for an IDS, disable the firewall's "Send Alerts to System Log" option on the Suricata/Snort interface so you don't get duplicate, truncated copies through the built-in daemon. Let syslog-ng carry the full EVE/JSON alerts instead.
05 — OPNsense: Built-in Logging Target

OPNsense uses syslog-ng as its core logging engine, so remote forwarding is built in and supports UDP, TCP, and TLS without installing anything. Go to System → Settings → Logging / Targets and add a new target.

Field | Value
--- | ---
Enabled | Checked
Transport | UDP(4) — or TCP(4) / TLS(4) for reliable or encrypted delivery
Applications | Nothing selected = forward all applications
Levels | Nothing selected = all, or pick info / notice / warn / error / critical…
Facilities | Nothing selected = all facilities
Hostname | your-graylog-ip
Port | 5140
Description | e.g. Graylog syslog

Click Save, then Apply to activate the target. Logs begin flowing to Graylog immediately; check Search to confirm.

ℹ  Leaving Applications, Levels, and Facilities empty forwards everything. To narrow the firehose, select specific applications (e.g. filterlog for firewall events only) once you've confirmed data is arriving.
⚠  Because OPNsense's syslog-ng natively supports TCP and TLS, prefer TLS(4) on any link you don't fully trust. UDP is fine on a dedicated management segment, but it's both unencrypted and lossy under load.
06 — Parse the Firewall Logs

Raw firewall logs arrive as a single unstructured string — the filterlog CSV is packed with fields (interface, action, direction, protocol, source/dest IP and port) that Graylog won't split automatically. Three options, easiest to most involved:

Method | What it does
--- | ---
Illuminate content pack | Graylog's official pfSense/OPNsense security pack: parsing rules, a stream, an index set, and dashboards. Easiest if you have Illuminate.
Community content pack | Open-source packs (e.g. the pfsense-graylog repo) bundle an input, extractors, and lookup tables you import under System / Content Packs.
Manual extractors | Import a filterlog extractor JSON onto the input via Manage extractors — splits the CSV into searchable fields.
ℹ  For Illuminate routing, create the Syslog input, open Show received messages to grab its gl2_source_input ID, then set content_name = pfsense_firewall and that input ID in the lookup_adapter_input_routing table. This tags incoming messages as pfSense/OPNsense so the pack processes them correctly.
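As an added worked example (my own code, not the page's extractor nor anything shipped by Graylog, pfSense or OPNsense): a Python parser that splits the filterlog CSV payload into named fields the way an extractor would. It follows the field order from the pfSense filterlog documentation for IPv4 and IPv6 with TCP and UDP, so it goes a little beyond the IPv4-only filterlog line most guides show, and it returns None for a line whose field count is short, which is exactly how a FreeBSD-truncated message presents. The syslog messages are constructed samples and the field names are this example's own choices.

```python
import re
from typing import Dict, Optional

# Constructed sample syslog messages in filterlog form (not real captures); the
# third is cut short to mimic the FreeBSD syslogd truncation described above.
SAMPLE_MESSAGES = [
    "<134>Mar  3 10:15:42 fw01 filterlog[60239]: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,12345,0,DF,6,tcp,60,192.0.2.10,198.51.100.5,51234,443,0,S,1234567890,,65535,,mss;sackOK",
    "<134>Mar  3 10:15:43 fw01 filterlog[60239]: 9,,,1000000110,igb1,match,pass,out,4,0x0,,128,4321,0,none,17,udp,78,10.0.0.20,10.0.0.1,53211,53,58",
    "<134>Mar  3 10:15:44 fw01 filterlog[60239]: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,12345,0,DF,6,tcp,60,192.0.2.10",
]

# Field order follows the pfSense filterlog documentation; the names are this example's own.
COMMON = ["rule_number", "sub_rule_number", "anchor", "tracker", "interface",
          "reason", "action", "direction", "ip_version"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "protocol_id",
        "protocol", "length", "src_ip", "dst_ip"]
IPV6 = ["class", "flow_label", "hop_limit", "protocol", "protocol_id",
        "length", "src_ip", "dst_ip"]
TRANSPORT = {"tcp": ["src_port", "dst_port", "data_length", "tcp_flags", "seq",
                     "ack", "window", "urg", "options"],
             "udp": ["src_port", "dst_port", "data_length"]}
FILTERLOG_RE = re.compile(r"filterlog\[\d+\]:\s*(?P<csv>.*)$")


def parse_filterlog(csv_payload: str) -> Optional[Dict[str, str]]:
    """Split a filterlog CSV payload into named fields; return None when the
    line is shorter than its IP version/protocol promise (i.e. truncated)."""
    fields = csv_payload.strip().split(",")
    layout = list(COMMON)
    if len(fields) < len(layout):
        return None
    ip_layer = {"4": IPV4, "6": IPV6}.get(fields[8])  # ip_version column
    if ip_layer is None:
        return None
    layout += ip_layer
    if len(fields) < len(layout):
        return None
    layout += TRANSPORT.get(fields[layout.index("protocol")], [])
    if len(fields) < len(layout):
        return None
    record = dict(zip(layout, fields))
    if len(fields) > len(layout):  # ICMP/other: keep the unparsed tail intact
        record["extra"] = ",".join(fields[len(layout):])
    return record


def parse_syslog_message(message: str) -> Optional[Dict[str, str]]:
    """Locate the filterlog payload in a raw syslog line and parse it."""
    match = FILTERLOG_RE.search(message)
    return parse_filterlog(match.group("csv")) if match else None
```

Running parse_syslog_message over the three samples yields a block record, a pass record, and None for the truncated line; counting those None results per source is a cheap way to spot a firewall that still needs the syslog-ng switch from section 02.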
07 — Route to a Dedicated Index

Firewall logs are high-volume, so give them their own index set and retention rather than mixing them into the default index. This keeps searches fast and lets you age firewall data out independently.

Step | Action
--- | ---
1 | System / Indices → create an index set named e.g. Firewall Logs, index prefix firewall
2 | Set rotation/retention to taste (a common choice: daily rotation, 90 days retained)
3 | Streams → create a Firewall stream, rule: source matches your firewall (or message contains filterlog)
4 | Point the stream at the new index set; tick Remove from Default Stream so events land only in the firewall index
ℹ  One quirk: pfSense's built-in syslog often omits the year/timezone, so Graylog stamps messages with their arrival time in UTC. If timestamps look off, a small pipeline rule to set a real timestamp field fixes downstream tools like Grafana.
08 — Verify & Troubleshoot

Symptom | Check
--- | ---
No messages at all | Input running & Global? Port published (not bound to 127.0.0.1 in Docker)? Firewall-to-Graylog path open?
Input shows 0 received | Port/protocol must match exactly — firewall sends UDP 5140, input listens UDP 5140
Messages cut off mid-line | FreeBSD 480-byte truncation — switch that source to syslog-ng (TCP)
Logs arrive but no fields | No extractor/content pack applied yet — see section 06
Quick listener test | `echo "<34>test from firewall" \| nc -u -w1 your-graylog-ip 5140`
Watch input live | System / Inputs → Show received messages on the firewall input
09 — Reference

Item | Value
--- | ---
Graylog input type | Syslog UDP (or TCP via syslog-ng)
Suggested port | 5140/udp
pfSense settings page | Status → System Logs → Settings → Remote Logging Options
pfSense TCP/long messages | Services → Syslog-ng (install package first)
OPNsense settings page | System → Settings → Logging / Targets
FreeBSD syslogd limit | ~480 bytes per message (built-in daemon only)
Common parser | Illuminate pfSense/OPNsense pack, or community filterlog extractors